Renderer2 lacks security documentation #46904

@meeque

Description

Angular docs are doing a great job at covering security topics. In particular, API docs warn about methods that could be used in an insecure manner. (Big thank you to the community!)

Unfortunately, Renderer2 API docs do not say much about security. In particular, nothing regarding XSS. However, the ElementRef API docs state the following:

Alternatively you can take a look at Renderer2 which provides API that can safely be used even when direct access to native elements is not supported.

Wouldn't it be helpful to mention this in the Renderer2 API docs? So that potential users know what to expect...

What is the affected URL?

https://angular.io/api/core/Renderer2

Please provide the steps to reproduce the issue

  1. Read Renderer2 API docs
  2. Read ElementRef API docs

Please provide the expected behavior vs the actual behavior you encountered

I would expect the Renderer2 API docs to document security implications, specifically regarding XSS. ElementRef docs say that Renderer2 "provides API that can safely be used".
If this is true (and superficial testing seems to support it), I'd expect that the Renderer2 API docs mention it explicitly.

If there are any exceptions to this general rule, I'd expect the Renderer2 API docs would show a clear "USE WITH CAUTION" security warning. E.g. if the following method calls lead to XSS, I'd expect a warning in the API docs:

renderer2.setAttribute(a, 'href', 'javascript:alert(1)');
renderer2.setAttribute(svg, 'onload', 'alert(1)');

Alternatively, if the claims that ElementRef docs make about Renderer2 are inaccurate or misleading, I'd expect them to be adjusted or removed.

The actual situation is that Renderer2 API docs do not tell me anything about security. And I feel a little lost.

Please provide a screenshot if possible

Should be trivial to reproduce without screenshots, but I can provide some on demand...

Please provide the exception or error you saw

None.

Is this a browser-specific issue? If so, please specify the device, browser, and version.

Not browser-specific imho.
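The two `setAttribute` calls quoted in the issue are the kind of thing an application-side guard can refuse before they reach the renderer. The following is an added illustration, not code from the issue or from Angular, and it makes no claim about what Renderer2 itself does with these values: the URL-attribute list, the scheme allow-list and the `on*` rule are this example's own assumptions, and `AttributeSetter` is a stand-in for the `setAttribute` shape of a renderer.

```typescript
// Attributes whose value is interpreted as a URL (assumed list for this example).
const URL_ATTRIBUTES = new Set(["href", "src", "xlink:href", "action", "formaction"]);
// Schemes this example is willing to pass through unchanged.
const SAFE_URL_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Minimal stand-in for the part of a renderer this guard wraps.
interface AttributeSetter {
  setAttribute(el: unknown, name: string, value: string): void;
}

// Returns a description of the risk, or null when the pair looks safe to set.
function attributeRisk(name: string, value: string): string | null {
  const attr = name.toLowerCase();
  // Any on* attribute carries script in a string (inline event handler).
  if (attr.startsWith("on")) {
    return `inline event handler attribute "${name}"`;
  }
  if (URL_ATTRIBUTES.has(attr)) {
    // Browsers ignore leading control characters and whitespace when reading the
    // scheme, so remove them before deciding which scheme the value really has.
    const cleaned = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
    const scheme = /^([a-z][a-z0-9+.-]*:)/.exec(cleaned);
    if (scheme === null) return null; // relative URL, no scheme to check
    if (!SAFE_URL_SCHEMES.has(scheme[1])) {
      return `URL attribute "${name}" with disallowed scheme "${scheme[1]}"`;
    }
  }
  return null;
}

// Sets the attribute only when it passes the check; reports whether it was set.
function setAttributeGuarded(
  renderer: AttributeSetter,
  el: unknown,
  name: string,
  value: string,
): boolean {
  const risk = attributeRisk(name, value);
  if (risk !== null) {
    console.warn(`blocked setAttribute: ${risk}`);
    return false;
  }
  renderer.setAttribute(el, name, value);
  return true;
}
```

Relative URLs and the allow-listed schemes are passed through; anything else on a URL attribute, and every `on*` attribute, is refused and logged.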

Metadata

Assignees

No one assigned

Labels

  - P3: An issue that is relevant to core functions, but does not impede progress. Important, but not urgent
  - area: docs: Related to the documentation
  - bug
  - security: Issues that generally impact framework or application security